Stolen information from RSA Security may have been used to hack into Lockheed Martin's secure servers, say sources. (Source: RSA Security)

Lockheed claims information on its fighter projects and government-contracted IT storage was NOT stolen. The company says it quickly countered the "sophisticated" attack.

Company claims fighter project schematics and hosted government information were not leaked

Over a week has passed since Lockheed Martin Corp. (LMT), the U.S. government's top information technology services provider, was hacked. The attack has been characterized as "fairly subtle" yet "significant and tenacious", and it targeted servers at the company's massive Gaithersburg, Maryland data center, located not far from the company headquarters in Bethesda.

As details emerge, the attack looks more and more like something lifted out of a spy movie or a Tom Clancy novel. The hackers appear to have gained entry using information stolen in a separate, even more audacious attack on one of the world's highest-profile security firms.

I. RSA Sec. Breach -- Prelude to the Lockheed Martin Attack?

Back in March hackers gained access to RSA Security's servers.
RSA Sec. takes its name from the last initials of founders Ron Rivest,
Adi Shamir, and Leonard Adleman, three top cryptographers. The trio's
popular public-key cryptography algorithm shares the same name -- RSA.

At the time of the RSA Sec. intrusion, the company said that although it believed information had been stolen, it did not believe customer information or the security of its software products had been compromised. It did, however, advise clients to follow its online guidance to safeguard themselves against possible fallout from the data loss.

The attack on RSA was described as "extremely sophisticated".

Sources close to Lockheed point to compromised RSA SecurID tokens --
USB keychain dongles that generate strings of numbers for cryptography purposes
-- as playing a pivotal role in the Lockheed Martin hack.

II. Damage Control

Hackers are believed to have entered Lockheed Martin's servers by gaining
illegitimate access to the company's virtual private network (VPN). The
VPN allowed employees to connect over virtually any public network to the
company's primary servers, using information streams secured by cryptography.

With the RSA tokens hacked, though, those supposedly secure VPN connections
were compromised.

Lockheed says that it detected the attack "almost immediately" and
warded it off quickly. The company has since brought the VPN back online,
but not before "upgrades" to the RSA tokens and adding new layers of
security to the remote login procedure.
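As an added illustration (not code from the article, RSA, or Lockheed), the snippet below models why a leaked token seed matters and what the remote-login "upgrades" buy: it uses a generic time-based one-time code derived from a per-token seed (RFC 6238 style, which stands in for RSA's proprietary SecurID algorithm), and a server check that demands PIN plus code, rejects a code replayed inside its window, and stops honouring a token once it has been re-seeded. User names, seeds and PINs are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added illustration, not RSA's proprietary SecurID algorithm: a generic
# time-based one-time code (RFC 6238 style) derived from a per-token seed.
STEP = 60  # seconds per code

def token_code(seed: bytes, now: int) -> str:
    """Six-digit code the token shows during the time step containing `now`."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class TokenServer:
    """VPN-side check: the caller must present the PIN *and* the current code."""
    def __init__(self):
        self.seeds = {}    # user -> token seed (what a seed-file leak exposes)
        self.pins = {}     # user -> PIN hash, kept apart from the seeds
        self.used = set()  # (user, step) already accepted: blocks replay
    def enroll(self, user, seed, pin):
        self.seeds[user] = seed
        self.pins[user] = hashlib.sha256(pin.encode()).hexdigest()
    def reseed(self, user, new_seed):
        # "Upgrading" a token: the old seed, and any stolen copy of it, stops working
        self.seeds[user] = new_seed
    def verify(self, user, pin, code, now):
        pin_hash = hashlib.sha256(pin.encode()).hexdigest()
        if user not in self.seeds or not hmac.compare_digest(pin_hash, self.pins[user]):
            return False
        step = now // STEP
        if (user, step) in self.used:
            return False  # same window presented twice (replayed code)
        for s in (step, step - 1):  # tolerate one step of token clock drift
            if hmac.compare_digest(token_code(self.seeds[user], s * STEP), code):
                self.used.add((user, step))
                return True
        return False

def demo():
    # Constructed walk-through: good login, replayed code, login after reseed
    srv = TokenServer()
    old_seed = b"constructed-seed-A"
    srv.enroll("alice", old_seed, "1234")
    t = 1_700_000_000
    ok = srv.verify("alice", "1234", token_code(old_seed, t), t)
    replay = srv.verify("alice", "1234", token_code(old_seed, t), t)
    srv.reseed("alice", b"constructed-seed-B")
    stale = srv.verify("alice", "1234", token_code(old_seed, t + 2 * STEP), t + 2 * STEP)
    return ok, replay, stale  # (True, False, False)
```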

III. What Was Lost?

At this point the question on everyone's mind likely is "What was
lost?"

Lockheed has cause for concern -- the company is not only safeguarding a wealth
of U.S. government military information from external sources, it's also
protecting its own valuable projects -- the F-16, F-22 and F-35 fighter
aircraft; the Aegis naval combat system; and the THAAD missile defense.

A U.S. Defense Department spokeswoman, Air Force Lieutenant Colonel April
Cunningham, told Reuters Saturday night that
the risk from the breach was "minimal and we [the USAF] don't expect any
adverse effect."

Now that the Pentagon is involved, if anything was stolen, it
should be identified shortly.

IV. Who Attacked Lockheed Martin?

After the pressing issue of what was lost, perhaps the second most compelling
question is who was behind the breach. Military officials and security
staff at Lockheed are looking for clues in local time stamped information
stored on the server and IP logs, trying to find out who accessed the
compromised systems from where and when.

The problem is not an easy one, as hackers commonly reroute their malicious traffic
through multiple proxies, disguising their location. That said, given the
nature of the attack -- take down one of the world's top security firms and then
use that information to compromise a top defense contractor -- involvement by a
foreign government is suspected.

Lockheed posted a job listing last week requesting the services of a "lead
computer forensic examiner". Requirements included experience with
"attack signatures, tactics, techniques and procedures associated with
advanced threats" and the ability to "reverse engineer attacker encoding
protocols." The cyber forensics expert's first task will likely be
to try to pinpoint the identity of the attacker.

The most likely suspect is obviously China, with whom the U.S. government has
been waging a "cyberwar" for a
decade now. China hires freelance hackers and maintains a large military
force of official hackers as well. It uses this force to infiltrate
international utilities, businesses, government servers, and defense
contractors, looking for valuable information.

China has recently been testing a stealth jet, the J-20, which contains
features curiously similar to those found on past Lockheed
Martin designs. China insists, though, that it did not use stolen
information to build its new weapon.

V. One Million Threats

Lockheed Martin's IT staff say they encounter 1 million "incidents" a
day. They have to filter through these, distinguishing "white
noise" from serious threats.

The Maryland data center from which information was taken is a state-of-the-art
facility, built in 2008. It covers 25,000 square feet and cost $17M USD
to build. But even with relatively modern systems and protections, its
defenses were still not strong enough to hold off the sophisticated and savvy
attacker.

The company has a separate back-up data center in Denver, Colorado, which
shares some of the company's contract workload. That center is not
believed to have been breached in the intrusion.

Going forward, Lockheed Martin will invariably face pressure from the U.S.
military and Congress to do a better job of making its systems breach-proof.
But given the company's budget versus the virtually blank check China gives
to its cyber security efforts, one has to wonder how much the company will be able
to do with so little.

Sondra Barbour, the company's chief information officer, reminded employees in
an email, "The fact is, in this new reality, we are a frequent target of
adversaries around the world."

Comments


Possibly a foreign government breaks into the system of a security firm defending many high profile companies, and then uses that to gain access to the network of one of the US's most important defense contractors, one that is responsible for the next generation of air power.

Sigh... No, you're probably not the only one worried about your WoW account.

If I recall correctly, shortly after the WoW authenticators came out there were hackers who defeated them. I believe there was malware involved that intercepted the login credentials then displayed a logon error to the user. In the meantime, it sent the login data to a remote system that would attempt to access the account during the window in which the authenticator key was still valid.

quote: You mean they used a key logger coupled with a phishing site? They didn't defeat the RSA system, they defeated the user's intelligence.

No, I meant exactly what I said. The hackers found a hole in the system and exploited it using a modified version of the same sort of tactics (malware w/ keyloggers, etc.) they had been using successfully for quite sometime. Just because people fell for it doesn't make them dumb. Smart people get bamboozled every day (look how many intelligent people were fooled then financially ruined by Madoff).

Most people are not security experts and there was a general perception among many WoW players that the authenticator made an account 100% secure. If the attackers preyed on anything related to users, it was users' ignorance (as per usual) in conjunction with a vulnerability.

After all, I'm sure Blizzard was aware that this sort of man-in-the-middle attack was still an issue, but they didn't go out of their way to advertise that when they were pushing authenticators. They knew another security layer with a high rate of adoption would make their system more secure and would reduce the number of compromised accounts.

Blizzard needs to step up their security anyway. They don't even accept special characters in passwords, which basically means that if someone is able to get a hold of some password hashing info, they can just rainbow table your password pretty easily. The fact that Blizzard *only* has RSA tokens as an advanced form of security shows how little they give a crap. Despite the fact that their poor security is costing them probably hundreds of thousands of dollars a year in Customer Support costs and lost subscriptions due to hacking.

You are right to an extent, but a company like Blizzard must walk a very thin line when it comes to security and usability. I'm sure there has been a lot of hand wringing going on at their HQ over the constant flood of compromised accounts, but at the same time the solutions they implement need to be carefully thought out so as not to drive away customers by making the game less fun or inconvenient.

No one on Blizzard's security team wants to be the person who killed the goose that was laying golden eggs. They don't want to lose customers because they can't secure their accounts, but at the same time they don't want to implement strong yet unpopular security measures that could drive away even more customers. I have a feeling they know exactly where the break even point is for several solutions they could implement and are just waiting to get there to start rolling out new security features.

I've had my account hacked once a few months ago, and several in my guild have also been hacked in the past. We all have authenticators, it cuts down on the hacked accounts, but doesn't stop it completely.

Yeah I think they got me through some kind of in-game hack. I had scanned my machine with several anti-malware and virus scanners. Bought an authenticator, 2 months later somehow I got booted and my stuff sold.

According to every other news source I can find nothing was lost (according to the government and Lockheed ;) ), and the breach was from a phishing style attack which delivered a key logging trojan which seems to have been attempting to grab the pins and user names, without which the RSA information is useless.

The RSA hack does not mean the VPN security was useless, you would still need the additional account information to use the token. Whilst replacing all the tokens and forcing password changes maybe could have been done as soon as the RSA breach was discovered (easy to be wise after the fact), without the full details of what the hackers took from RSA and the limited guidance provided by them it probably wasn't considered necessary.

You could now surmise that at the very least the RSA seed files were compromised; the change of tokens should resolve that issue. Combined with a change of password/PIN, the issue probably looks better as speculation and supposition plastered all over the press than fact in the hacking history books.

quote: The Maryland data center from which information was taken is a state of the art facility, built in 2008. It covers 25,000 square-feet and cost $17M USD to build. But even with relatively modern systems and protections, defenses were still not strong enough to hold off the sophisticated and savvy attacker.